Is This a trojan horse?


Yogi Bear

Hi all,

I found there is an SSDT hook on the NtConnectPort function (0x1f) in my Windows XP SP2.
The function address was changed to 0x86xxxxxx (which changed after a reboot) and is
not within any module (RootkitRevealer and RkUnhooker show "unknown module filename").
Maybe it's a trojan horse?

Sorry for my English, and TIA
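As an added example (not code from the thread or from any tool named in it), this is the kind of check RootkitRevealer and RkUnhooker apply when they label a service table entry "unknown module filename": the handler address is compared against the base/size range of every loaded kernel module, and an address that falls in no module is flagged separately from one that was redirected into a named driver. All module names, bases and addresses below are constructed.

```python
# Added example, not from the thread: a RootkitRevealer-style check that asks whether
# each SSDT handler lies inside a loaded kernel module. All values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int   # image base address
    size: int   # image size in bytes

@dataclass(frozen=True)
class SsdtEntry:
    index: int    # service number, e.g. 0x1f for NtConnectPort on XP SP2
    name: str
    address: int  # handler address read from the service table

def owning_module(address: int, modules: List[KernelModule]) -> Optional[KernelModule]:
    # Half-open range [base, base + size) is the module's mapped image.
    for module in modules:
        if module.base <= address < module.base + module.size:
            return module
    return None

def find_ssdt_hooks(entries: List[SsdtEntry], modules: List[KernelModule],
                    kernel: str = "ntoskrnl.exe") -> Dict[int, str]:
    """Map service index -> owner label for each entry not served by the kernel image.
    A handler inside a named driver is a hook by that driver (often a security product);
    one inside no module at all is what the thread's tools call "unknown module filename"."""
    hooks: Dict[int, str] = {}
    for entry in entries:
        owner = owning_module(entry.address, modules)
        if owner is None:
            hooks[entry.index] = "unknown module filename"
        elif owner.name.lower() != kernel.lower():
            hooks[entry.index] = owner.name
    return hooks

# Constructed sample: kernel image, one hypothetical filter driver, three services.
SAMPLE_MODULES = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x1F7000),
    KernelModule("av_filter.sys", 0xF8A10000, 0x8000),
]
SAMPLE_SSDT = [
    SsdtEntry(0x19, "NtClose", 0x805B1234),        # untouched, inside ntoskrnl
    SsdtEntry(0x1F, "NtConnectPort", 0x86123456),  # like the 0x86xxxxxx in the thread
    SsdtEntry(0x25, "NtCreateFile", 0xF8A12340),   # redirected into av_filter.sys
]

def classify_sample() -> Dict[int, str]:
    return find_ssdt_hooks(SAMPLE_SSDT, SAMPLE_MODULES)
```

On a real system the module list would come from the loaded-driver enumeration the tools perform; here only the unmapped 0x1F entry is the one the thread is asking about, while the 0x25 entry is attributable to a named driver.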
 
Try running the F-Secure Rescue CD:
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
It will scan for rootkits as well as virae. You need a USB stick to copy the
downloaded definitions, which will be used after booting from the CD.
 
From: "Allan" (e-mail address removed)

| Try running the F-Secure Rescue CD:
| http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
| It will scan for rootkits as well as virae. You need a USB stick to copy the
| downloaded definitions, which will be used after booting from the CD.
|
| --
| Allan


No it won't. There is no such thing as virae, viri, or virii.
The plural of virus is viruses.

http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html
 
Allan said:
Try running the F-Secure Rescue CD:
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
It will scan for rootkits as well as virae. You need a USB stick to copy the
downloaded definitions, which will be used after booting from the CD.

Thank you.

But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook as a rootkit.
Maybe one of the Windows Update patches did it. Could you please check whether or not your
Windows has such an SSDT hook on the NtConnectPort function?

Thank you again
 
From: "Yogi Bear" <[email protected]>

| Thank you.
|
| But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook
| as a rootkit.
| Maybe one of the Windows Update patches did it. Could you please check whether or not
| your Windows has such an SSDT hook on the NtConnectPort function?
|
| Thank you again

After I contacted Gmer, Gmer pointed out the following URL...
http://www.gmer.net/rootkits.php

Specifically, at the end of the page, find the example "RioDrvs.sys".
 
David H. Lipman said:
From: "Yogi Bear" <[email protected]>

| Thank you.
|
| But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook
| as a rootkit.
| Maybe one of the Windows Update patches did it. Could you please check whether or not
| your Windows has such an SSDT hook on the NtConnectPort function?
|
| Thank you again

After I contacted Gmer, Gmer pointed out the following URL...
http://www.gmer.net/rootkits.php

Specifically, at the end of the page, find the example "RioDrvs.sys".

Thank you, the information is great.
There is a linkinfo.dll in \WINDOWS\system32\ whose file description is "Windows Volume Tracking",
but there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\; there are two files, rio8drv.sys and riodrv.sys,
whose file descriptions are both "S3/Diamond Multimedia Systems".
Specifically, gmer didn't report linkinfo.dll as a rootkit.
I'm confused. :(
 
From: "Yogi Bear" <[email protected]>

| Thank you, the information is great.
| There is a linkinfo.dll in \WINDOWS\system32\ whose file description is "Windows Volume
| Tracking",
| but there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\; there are two files,
| rio8drv.sys and riodrv.sys,
| whose file descriptions are both "S3/Diamond Multimedia Systems".
| Specifically, gmer didn't report linkinfo.dll as a rootkit.
| I'm confused. :(

The McAfee Blog URL was only an example based upon your query. It wasn't to suggest you
had the Trojan mentioned in it.
 